LOCAL out of the box user accounts

nagaklv
Tera Contributor

Hi All,

What is the best practice for managing user accounts that are used by the system? At minimum, I need to change the password every 90 days per our company's policy.

soap.guest

bm.scheduler

instance.sec.user

ml_report.user

sharedservice.worker

ml.admin

virtual.agent

 

Please advise me on this.

 

Regards,

Nagesh

 

 

 


Kieran Anson
Kilo Patron

There isn't an OOB function for this. You'd likely need to:

  • Add a custom field to the sys_user table that identifies the password last set date
  • Modify the installation exit to trigger an event that then triggers a script action to modify this custom field for 90 days in future
  • Scheduled job run daily to check custom field where date is today and set the 'password needs resetting' to true.

If these are only web service accounts, have you looked into moving away from basic auth and to OAuth?

Hi Kieran,

 

Thanks for the reply.

Could you please explain more about points 2 and 3? I would appreciate it if you could provide any script related to this.

 

 

Create a custom date field on sys_user table.

Add a BR to the sys_user table with a condition of 'Password needs resetting CHANGESTO False'

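(function executeRule(current, previous /*null when async*/) {

	// Work out the date 90 days from now
	var date = new GlideDate();
	date.addDaysLocalTime(90);
	// Store it in the custom date field as the next password change date
	current.u_password_change = date;
	// Queue an event that carries the new date as its first parameter
	gs.eventQueue('user.password.changed',current,date);
})(current, previous);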

Then use a scheduled job or flow to find all records where u_password_change is today and set "password needs reset" to true.

// Find every user whose u_password_change date is today
var userGR = new GlideRecord('sys_user');
userGR.addEncodedQuery('u_password_changeONToday@javascript:gs.beginningOfToday()@javascript:gs.endOfToday()');
userGR.query();
while(userGR.next()){
	// Mark the account's password as needing a reset
	userGR.setValue('password_needs_reset','true');
	userGR.update();
}
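An added example (not code from any poster in this thread): an offline audit in plain JavaScript over a constructed export of sys_user rows. It lists the accounts that a job matching only "u_password_change is today" would not flag, namely rows where the field was never populated and rows whose date has already passed. The sample rows and dates are constructed, and the use of the user_name and active columns is an assumption about the export.

```javascript
// Constructed sample rows shaped like a sys_user export; u_password_change is
// the custom "next change due" date field from the reply above (YYYY-MM-DD).
var SAMPLE_USERS = [
  { user_name: 'soap.guest',           u_password_change: '',           password_needs_reset: 'false', active: 'true' },
  { user_name: 'bm.scheduler',         u_password_change: '2024-03-01', password_needs_reset: 'false', active: 'true' },
  { user_name: 'instance.sec.user',    u_password_change: '2024-03-10', password_needs_reset: 'false', active: 'true' },
  { user_name: 'ml.admin',             u_password_change: '2024-02-20', password_needs_reset: 'true',  active: 'true' },
  { user_name: 'virtual.agent',        u_password_change: '2024-06-01', password_needs_reset: 'false', active: 'true' },
  { user_name: 'sharedservice.worker', u_password_change: '2024-01-15', password_needs_reset: 'false', active: 'false' }
];

// Classify each account against the rotation policy as of `today` (YYYY-MM-DD).
// ISO dates compare correctly as plain strings, so no date library is needed.
function auditRotation(users, today) {
  var report = { untracked: [], overdue: [], dueToday: [], flagged: [], ok: [], inactive: [] };
  users.forEach(function (u) {
    var due = (u.u_password_change || '').slice(0, 10);
    if (String(u.active) !== 'true') {
      report.inactive.push(u.user_name);      // disabled account, nothing to rotate
    } else if (String(u.password_needs_reset) === 'true') {
      report.flagged.push(u.user_name);       // already marked for reset
    } else if (!/^\d{4}-\d{2}-\d{2}$/.test(due)) {
      report.untracked.push(u.user_name);     // field never set: an "on today" match never fires
    } else if (due < today) {
      report.overdue.push(u.user_name);       // due date passed without being flagged
    } else if (due === today) {
      report.dueToday.push(u.user_name);      // the only case an "on today" match catches
    } else {
      report.ok.push(u.user_name);
    }
  });
  return report;
}

console.log(JSON.stringify(auditRotation(SAMPLE_USERS, '2024-03-10'), null, 2));
```
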

Appli
Mega Sage

Hi Nagesh

Please consider implementing a password reset process where you will be able to specify required strength for passwords, lockout for failed logins, password auto-generation etc. and follow on password reset execution by checking password change log.

Thank you

 

Hope it helps